All the other topics posted here have no answers on how to import other user data. There are examples online of how to write custom SPIs to do a single user migration on the fly when the user logs in but this assumes that your other provider will always be available. Is there a way to bulk migrate users?
The last comment in the link above states that you could create a user import JSON and have Keycloak import old users in this fashion. Is this still a valid way or the way to do something like this?
I have tried this with the newer User JSON import format but it is not working and I am not sure if I am just doing it incorrectly or if it just doesn’t work anymore.
It’s ok. I guess I should have waited a little bit.
The only issue with the just-in-time migration is going to be that you will either have to always keep that legacy DB (provider) up and running or create some cutoff time limit of when to mass migrate the rest of the users and have them change their password. Correct?
I did see the plugin in my research but thank you again for putting it on my radar.
That’s right. I’ve implemented this for a few customers, and it really depends on your use case. Some of them chose to leave it in place. Others sent an email asking users to log in within a specific amount of time. Others did a manual check after some time period, and just manually created account in Keycloak for the “missing” users, who could do a “reset password” (assuming they have an email for the user).
I’ve also done a one-time bulk import from existing user data via the JSON import. This does work, but needs a bit effort to get all the attributes right. Especially regarding the passwords - if the source system has another hashing algorithm (other than pbkdf2) used, you will have to provide this as a hashing algorithm provider in Keycloak first.
Your credential example looks like the ones I have here in my environment (except that secretData has also a value (serialized JSON like credentialData), and also the id is filled!
If Keycloak just should use the bcrypt algorithm to compare stored password hashes, you don’t have to do anything else than putting the JAR into the providers folder. If Keycloak should use bcrypt also to create hashes on newly created/updated passwords, you’ll have to configure it as a “Password Policy” (there’s a “Hashing algorithm” policy available). It sounds a bit strange that this is a policy, but it is like it is.